Learn how to spot travel phishing

Summer’s coming, and that means vacation season is on its way. A lot of people are looking through travel websites in search of interesting places to go, cheap places to stay, and tickets at interesting prices. And, as usual, scammers are eager to give them what they are looking for — sort of.

In addition to the usual tactics scammers use to rob you while you’re looking forward to having a nice vacation, these travel tricks are worth knowing before you start planning your next trip. In this post we’ll dig into some details and talk about how malefactors try to trick excited folks into believing they’re on a genuine travel website. All of these methods were spotted in the wild by Kaspersky Lab’s researchers during late April and early May, and you can thwart them all with three simple best practices.


1. Look at the address bar

The most common advice on protection against phishing is to use simple vigilance, but still, if cybercriminals manage to create a really impressive-looking clone of the original website, a lot of people forget this simple step and don’t look at the URL to see what website they’re actually on. And malefactors know how to make us unwary.

For example, take a look at this sweet deal: a nice cozy apartment for just €14 a day. Interesting, huh? And the site looks as if it’s really Airbnb.com. The design, the comments from different people describing their pleasant time at the apartment and being so pleased with the host — everything looks so real. Anything you’d expect to find on Airbnb, you’ll find here.

Except it’s not Airbnb. It’s a fake. If you look at the URL in the address bar, you’ll see something like this: abnb63213491.byethost8.com/rooms/7858853. Doesn’t look like airbnb.com, does it?

The scam usually goes as follows: After a short conversation the “host” will ask you to send a certain amount of money to reserve the apartment for you. Once you do that, they stop responding.

How do people usually get to pages such as this one? Similar offers can be found in spam e-mails, in messaging apps, and in social networks. Sometimes, they pop up in ads on search engines or social networks.

By the way, even though scammers invest quite some time in creating such convincing website clones, they are still mostly lazy. Here’s another example of a phishing Airbnb page, and you may notice that comments here are left by the very same “guests” as on the previous page. Once you know that, it’s tough to take these pages seriously.

2. Look closer: Tricky letters

Now let’s take a look at another site, also neatly designed and resembling a real one. Now that you know to look at the URL first, you can do that. The first thing you should notice is that the URL seems to include booking.com, but the site looks as if it belongs to another travel giant, Expedia. But, OK, perhaps one of them bought the other one or something else happened — it’s not your job to keep track of travel mergers, after all. You’re just here to get a good deal on plane tickets or a place to stay.

But take a closer look at the URL, especially at the letters in the word booking. Notice those weird symbols below the letters k, i, n and g? That’s not dirt on your screen or a computer glitch. In fact, these are different letters. They’re part of the Latvian alphabet — and yes, booķįņg.com and booking.com are completely different websites.

So, a quick glance at the URL may not be enough to spot the phish. You need to look closely; scammers really love using alternative alphabets to disguise phishing page URLs. To be sure, click on the lock at the left of the address bar and choose “Show certificate” to take a look at who the site’s real owner is.
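The address-bar checks from sections 1 and 2 can also be done mechanically. The following Python sketch is an added example, not code from the original post: it tests whether a URL's host really belongs to a trusted domain, and whether a host with accented letters folds down to one. The `TRUSTED` allow-list and the function names are assumptions made for illustration, and the last two sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: an allow-list of the genuine sites named in the article.
TRUSTED = {"airbnb.com", "booking.com", "expedia.com"}

def hostname(url: str) -> str:
    """Return the lower-cased host of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def on_trusted_domain(host: str) -> bool:
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def strip_marks(host: str) -> str:
    """Fold accented letters to their base letter (ķ -> k, į -> i, ņ -> n).
    Handles diacritics only, not look-alike letters from other scripts."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def check_url(url: str) -> dict:
    host = hostname(url)
    result = {"host": host, "wire_name": host, "verdict": "untrusted"}
    if not host.isascii():
        # The name that is actually resolved is the punycode ("xn--") form.
        result["wire_name"] = host.encode("idna").decode("ascii")
        if on_trusted_domain(strip_marks(host)):
            result["verdict"] = "lookalike"
    elif on_trusted_domain(host):
        result["verdict"] = "trusted"
    return result

if __name__ == "__main__":
    for sample in ("abnb63213491.byethost8.com/rooms/7858853",  # from the article
                   "https://booķįņg.com/",                       # from the article
                   "https://www.booking.com/hotel",              # constructed
                   "https://booking.com.deals.example/login"):   # constructed
        print(check_url(sample))
```

The last sample shows why the comparison must be made against the end of the host name: a trusted name appearing at the start of a longer host proves nothing about who owns the site.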

3. Look twice: URL shorteners

Another tactic scammers employ to try to fool you is using URL shorteners. Say you see a link somewhere advertising cheap rentals or discounts on airline tickets, and the link looks shortened. Thanks to Twitter, we’re all used to shortened URLs, and links beginning with t.co or goo.gl don’t surprise us at all. We treat those links as legitimate. So why should we worry about links beginning with, say, twixar.me or tinyurl.com? These certainly look like the results of using yet another shortener.

And they are, but you should never trust shortened URLs. If you click on a shortened link, you always have to check where exactly it brought you. Shortened links aren’t necessarily malicious, but they can be. You could end up on a fake Expedia page like the one below, where you will be prompted to enter your login and password for Expedia (for instant transfer to cybercriminals). Oh, and in this case the fake page also asks for your e-mail password, which you should never, ever enter anywhere but your e-mail provider’s website or e-mail apps.

As for Airbnb accounts, malefactors like to steal them for later use in money laundering. They use your account to offer places to stay and other accounts to pay for those stays, making the money appear to have been legitimately earned.

4. Bonus: Detecting travel spam

One of the easiest ways to lure people to phishing pages is to send them very convincing messages. And that’s what criminals do. The problem is, it may be hard to realize that the message from yet another airline company is a fake one. Looking into the “sender” field doesn’t give you much, as the e-mail protocol allows you to send mail from any address. The content may be thoroughly copied from the original mailing of the same airline.

What gives the malefactors away is the link address. They want you to land on a website, and so they have to direct you there with a link or a button. But if you hover your cursor over that link, the URL’s destination address will appear (in the bottom left corner of your browser or e-mail app, for example). And since you’ve read the rest of this post, you know what to look for.
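The hover check can be automated for an HTML message body. The Python sketch below is an added example, not code from the original post: it lists where each link really leads, flags links whose visible text names a different host, and flags the shortener hosts mentioned in section 3, whose destination cannot be read from the link at all. The sample message, the `.example` hosts and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortener hosts named in the article; a production list would be longer.
SHORTENERS = {"t.co", "goo.gl", "twixar.me", "tinyurl.com"}
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def bare(host: str) -> str:
    """Lower-case a host and drop a leading "www." before comparing."""
    return re.sub(r"^www\.", "", host.lower())

def audit_links(html: str) -> list:
    """Return (destination host, visible text, finding) for each link."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        if host in SHORTENERS:
            finding = "shortened: destination hidden"
        elif shown and bare(shown.group(1)) != bare(host):
            finding = "text and destination differ"
        else:
            finding = "no mismatch"
        report.append((host, text, finding))
    return report

# Constructed message body for illustration; .example hosts are placeholders.
SAMPLE = """<a href="http://promo.fly-deals.example/win">www.fly.example/offers</a>
<a href="https://tinyurl.com/placeholder">Claim your free tickets</a>
<a href="https://www.fly.example/help">www.fly.example</a>"""
```

A "no mismatch" finding only means the link text is not lying about the destination; the destination host itself still needs the address checks described earlier.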

Tips to spot travel phishing

Now that you know the tricks scammers use to fool you, you can stay on the safe side and avoid their phishing nets. Let’s quickly sum up a few short tips on how not to fall for phishing (you can read more about protection from phishing in general in this post):

  • If an offer seems too good to be true, it probably is. Best to avoid it.
  • Carefully look at the address bar before entering any sensitive information such as your login and password. If something is wrong with the URL (it’s misspelled, doesn’t look like the original or uses some special symbols instead of letters), don’t enter anything on such sites. When in doubt, check the certificate of the site by clicking on the lock icon to the left of the URL.
  • Book your stay and tickets only on trusted websites of trusted providers, ideally typing the address of their website manually in the address bar.
  • Don’t click on links coming from unknown sources (be it in e-mails, messaging apps, or social networks).
  • If you see a giveaway from a travel company or an airline either in e-mail or on social media, visit the business’s official website to confirm the giveaway actually exists. Also, carefully check the links the giveaway ad leads you to.
  • Use a good security solution that can protect you from spam and phishing. We recommend Kaspersky Security Cloud.